CVE-2024-53865
CVSS 3.1 Score 8.2 of 10 (high)
Details
Summary
CVE-2024-53865 is a vulnerability affecting the "zhmcclient" Python library, which is used with the IBM Z HMC Web Services API. In certain cases, this library writes password-like properties in clear text to its API and HMC logs. Specifically, the 'boot-ftp-password', 'ssc-master-pw', 'zaware-master-pw', 'password', and 'bind-password' properties are at risk when creating or updating partitions, LPARs, image activation profiles, or HMC users, respectively. This issue only impacts users who have enabled the "zhmcclient.api" or "zhmcclient.hmc" loggers and use the relevant functions. The vulnerability has been resolved in version 1.18.1, and users are strongly encouraged to upgrade, as no workarounds are available.
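The following is an added example, not part of the advisory or of zhmcclient's own code: it checks whether a version string predates the fixed release and scans existing log text for unmasked values of the five listed properties, reporting only line number and property name. The log line layout, the all-asterisk mask, and the function names are assumptions.

```python
import re

# Password-like properties named in the advisory.
SENSITIVE_PROPS = ("boot-ftp-password", "ssc-master-pw", "zaware-master-pw",
                   "password", "bind-password")
FIXED_VERSION = (1, 18, 1)  # release the advisory names as fixed

# Assumption: logged request bodies show each property as a quoted key followed
# by a quoted value (Python dict repr or JSON).
_PAIR = re.compile(
    r"""["'](%s)["']\s*:\s*(["'])((?:\\.|(?!\2).)*)\2"""
    % "|".join(re.escape(p) for p in SENSITIVE_PROPS))


def predates_fix(version):
    """True if a zhmcclient version string is older than the fixed release."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) < FIXED_VERSION


def find_exposures(log_text):
    """Return (line_number, property) for every unmasked value; never the value."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in _PAIR.finditer(line):
            value = m.group(3)
            # Assumption: a value made only of '*' is a mask, not a secret.
            if value and set(value) != {"*"}:
                hits.append((lineno, m.group(1)))
    return hits


# Constructed sample lines, not real zhmcclient or HMC log output.
SAMPLE_LOG = """\
DEBUG zhmcclient.api: Called: update_properties(properties={'description': 'db', 'boot-ftp-password': 'Tr0ub4dor'})
DEBUG zhmcclient.hmc: Request: POST <uri>, content: {"name": "ops", "password": "s3cret\\"x", "bind-password": "********"}
DEBUG zhmcclient.hmc: Request: POST <uri>, content: {"userid": "ops"}
"""

if __name__ == "__main__":
    for lineno, prop in find_exposures(SAMPLE_LOG):
        print(f"line {lineno}: clear-text value logged for '{prop}'")
```

Any credential reported by such a scan should be treated as disclosed to everyone with read access to the log.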